26 September 2022
September - The UK's Data Protection and Digital Information Bill – 4 of 6 Insights
The Data Protection and Digital Information Bill (DPDI Bill), introduced in the House of Commons on 18 July 2022, includes a range of reforms relevant to the accountability and governance obligations of organisations. These reforms reflect the government's stated objective of reducing the burden on business associated with administering data protection compliance.
Accountability is a broad concept and in a data protection context can be associated with actions or measures that help assess risk or deliver and demonstrate compliance with data protection standards, as part of a personal data governance programme. There is a specific obligation on controllers in Article 5(2) of the UK GDPR that they shall "be responsible for, and be able to demonstrate compliance…('accountability')" in relation to the data protection principles. This obligation also sits alongside a range of other record keeping, risk assessment and evidence-based compliance requirements on controllers and processors as part of delivering or demonstrating compliance. The cumulative nature of these obligations had been considered in some quarters to place an overly heavy administrative burden on controllers and, where applicable, processors.
The government's post-Brexit data strategy consultation, which led up to the publication of the DPDI Bill, considered, among other matters, a range of ways to reduce the data protection compliance burden on business. Those who were hoping for radical change reflecting the rhetoric of the UK freeing itself from EU red tape will likely be disappointed. The DPDI Bill seeks to walk a middle line between providing more flexibility and maintaining those protections necessary to preserve the UK's EC adequacy decision for EU-UK data exports.
Certain measures represent more of a subtle softening of the existing provisions or provide further interpretative guidance. Other changes arguably have questionable benefit beyond change for change's sake, and a few may, in fact, give rise to additional compliance requirements.
Those core reforms proposed in the DPDI Bill that can be seen as more directly associated with accountability and governance are outlined below.
The current requirement to appoint a Data Protection Officer (DPO) is replaced by an obligation to appoint a Senior Responsible Individual (SRI) in cases where processing is by a public authority or is likely to result in "high risk" to individuals.
The SRI must be part of the organisation's senior management rather than being an independent officer who reports to management. The tasks of the SRI are, however, broadly similar to those of the DPO, although the SRI tasks make more express reference to dealing with personal data breaches and handling complaints, which are not at present directly allocated as DPO tasks.
It remains to be seen whether high risk processing will amount to a higher appointment threshold than now or how businesses with an existing DPO will align that role with that of the SRI. The DPDI Bill sets out that if an activity gives rise to a conflict, then the task must be performed by another person with appropriate qualifications and knowledge of data protection law (who must not be instructed about performance of the task). The intention therefore may be to enable more flexibility within existing management structures where no conflict arises (although such conflicts are, in our view, likely to be difficult to avoid in practice).
The obligation to maintain records of processing is replaced with an obligation to maintain appropriate records of processing. This obligation does not apply where there are fewer than 250 staff, unless "high risk" processing is involved. The minimum list of required controller records now excludes information about the categories of personal data or data subjects; however, a requirement to record who the controller has shared or will share personal data with could be interpreted as more prescriptive than the current obligation to keep records about the categories of recipients. The processor record of processing is also slimmed down to, at a minimum, the name and contact details of each controller acted for, where the data is located and, where possible, information about how the personal data is kept secure.
The requirement to conduct a Data Protection Impact Assessment (DPIA) is replaced with a requirement to make an "assessment of high risk processing". This assessment is limited to the purposes of processing, the necessity of that processing for those purposes, the risks to individuals and how the controller proposes to mitigate those risks. Further, the obligation to consult the Information Commissioner (ICO) where the outcome of the assessment indicates a high risk in the absence of mitigation measures is replaced with the option to consult voluntarily. As to prior ICO consultation, it remains likely that any formal action by the ICO associated with high risk processing would take account of whether a controller opted to consult. In practice this may mean that those organisations seeking to mitigate potential high risk may still choose to consult the ICO.
For controllers based outside the UK without any other UK establishment and falling within the scope of Article 3(2) of the UK GDPR, it is proposed that the obligation to appoint a UK representative is removed. This will likely come as welcome news to those who have had to resort to paying for outsourced service providers to fulfil this function on their behalf.
The DPDI Bill includes a revised threshold for refusing subject rights requests or charging a fee where these requests are vexatious or excessive, rather than the current test of manifestly unfounded or excessive requests. Considerations and examples to help determine whether a request is vexatious or excessive are also provided, although certain of those tests appear to draw on existing interpretive guidance provided by the ICO. In practice this means the significance of this change is yet to be fully determined. On balance these changes may offer some assistance, particularly in those cases where subject access requests are made in bad faith, with the aim of causing distress, or are an abuse of process. The Bill also helpfully adds that the time limits for responding are triggered only once the requestor has provided any information needed to verify their identity or to locate the information held.
The DPDI Bill includes new provisions requiring controllers to facilitate the making of complaints (such as by providing a complaint form) and to acknowledge all received complaints within 30 days, in addition to taking appropriate steps to respond and to inform the complainant of the outcome. It is unclear why this addition was felt to be necessary given the existing overlap with obligations relevant to responding to requests. However, this requirement is unlikely to result in organisations needing to make material changes to their complaint handling processes in practice.
There are no material changes to general personal data breach reporting obligations for controllers; however, the DPDI Bill does propose a new obligation on providers of public electronic communications services, such as ISPs or telcos, to report to the ICO. This obliges electronic communications service providers to notify the ICO if they suspect a person is contravening direct marketing regulations (for example by making unsolicited calls or sending unsolicited electronic communications). Failure to report within 28 days of that suspicion could result in a £1,000 fixed penalty.
The DPDI Bill as originally drafted mainly represents a softening of certain compliance requirements, but not to the extent that it marks a significant departure from the current obligations relevant to accountability. Further, what constitutes high risk processing, which is a new threshold test for the obligations relevant to SRIs, appropriate records of processing and assessments of high risk processing, is not defined in the DPDI Bill. This means further guidance will be required before a real assessment of any benefits of those changes can be made. It is worth noting that at this stage the DPDI Bill has only passed through its first reading in Parliament. A planned second reading was postponed following the change of Prime Minister to allow "Ministers to further consider this legislation", so further amendments may take place as the DPDI Bill passes through the legislative process.
Sally Annereau looks at the extent to which the UK's Data Protection and Digital Information Bill could change accountability obligations.
26 September 2022
by Sally Annereau